Security
ejabberd: set the Diffie-Hellman (DH) cipher bit size to >= 2048

In modern versions, ejabberd can be given such a DH parameter PEM file via `dhfile` / `s2s_dhfile` in `ejabberd.yml`. I created such DH parameter pem files in three different ways:

```sh
openssl dhparam -out dh.pem 2048
openssl dhparam -out dh.pem 4096
openssl genpkey -genparam -algorithm DH -out dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
```
I put them into `/etc/ejabberd/` and configured ejabberd accordingly:

```yaml
hosts:
  - "somehost.tld"
access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 100
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  pubsub_createnode:
    all: allow
  register:
    all: allow
  s2s:
    all: allow
  s2s_shaper:
    all: fast
acl:
  admin:
    user:
      - "admin": "somehost.tld"
  local:
    user_regexp:
      - ""
  blocked:
    user:
      - "reklama": "sj.ms"
      - "cc6523": "tigase.im"
      - "reklama403": "kdetalk.net"
      - "pp241331": "kdetalk.net"
      - "advertising": "bin.vc"
      - "swiped_su6070": "debianforum.de"
auth_method: odbc
odbc_database: "ejabberd"
odbc_keepalive_interval: 3600
odbc_password: "YZucuq3vSdfPDnzs"
odbc_port: 3306
odbc_server: "127.0.0.1"
odbc_type: mysql
odbc_username: "ejabberdusr"
captcha_cmd: "/usr/lib/x86_64-linux-gnu/ejabberd/priv/bin/captcha.sh"
captcha_host: "http://somehost.tld:5280"
captcha_limit: 5
language: "en"
define_macro:
  'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"
listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/cert/somehost.tld.pem"
    dhfile: "/etc/ejabberd/dhp4096.pem"
    starttls: true
    starttls_required: true
    stream_management: true
    max_ack_queue: 1000
    resend_on_timeout: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    protocol_options:
      - "no_sslv3"
    ciphers: 'TLS_CIPHERS'
    resend_on_timeout: if_offline
    zlib: true
  -
    port: 5269
    module: ejabberd_s2s_in
    transport: tcp
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    captcha: true
loglevel: 2
max_fsm_queue: 1000
modules:
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: []
  mod_carboncopy: {}
  mod_configure: []
  ## mod_admin_extra: []
  mod_disco: []
  mod_irc: []
  mod_last: []
  mod_muc:
    host: "muc.@HOST@"
    access: all
    access_create: all
    access_persistent: all
    access_admin: muc_admin
    max_users: 500
    history_size: 1000
    default_room_options:
      allow_change_subj: true
      allow_private_messages: true
      allow_private_messages_from_visitors: anyone
      allow_query_users: false
      allow_user_invites: true
      allow_visitor_nickchange: true
      allow_visitor_status: true
      anonymous: false
      captcha_protected: false
      logging: true
      max_users: 200
      members_by_default: true
      members_only: false
      moderated: false
      password_protected: false
      persistent: false
      public: true
      public_list: true
  mod_muc_log:
    access_log: muc_admin
    dirname: room_name
    dirtype: subdirs
    file_format: html
    outdir: "/var/www/muc"
    spam_prevention: false
    timezone: local
    top_link:
      "/": "Jedem das Seine."
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: []
  mod_private: []
  ## mod_proxy65:
  ##   access: all
  ##   shaper: c2s_shaper
  mod_pubsub:
    access_createnode: pubsub_createnode
    pep_sendlast_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep"
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: "Welcome"
    captcha_protected: true
    access: register
  mod_roster: []
  mod_shared_roster: {}
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []
  mod_mam:
    db_type: odbc
    default: never
registration_timeout: 600
outgoing_s2s_port: 5269
outgoing_s2s_timeout: 10000
s2s_access: s2s
s2s_certfile: "/etc/ejabberd/cert/somehost.tld.pem"
s2s_dhfile: "/etc/ejabberd/dhp4096.pem"
s2s_use_starttls: required
s2s_protocol_options:
  - "no_sslv3"
s2s_ciphers: 'TLS_CIPHERS'
shaper:
  normal: 1000
  fast: 50000
watchdog_admins:
  - []
auth_password_format: plain
fqdn: "somehost.tld"
```
None of these DH-params files worked. The XMPP.net test tool still warns: `Server uses Diffie-Hellman parameters of < 2048 bits. Grade capped to B.` And in the "Ciphers" section the bit size really is 1024, not 2048 or 4096.

Is this me and my config, or the XMPP.net tool? How can I check the DH bit size myself?

The server runs Debian 8.2 "Jessie" (stable) and ejabberd 15.09 from the testing repository.
Culprit found: the Diffie-Hellman parameters are handled by erlang-p1-tls. So when you upgrade ejabberd to the version from the testing repository, you should also upgrade the erlang-p1-tls package to the version from testing!

```sh
sudo apt-get install erlang-p1-tls/testing
```
Actually, to get the testing version of ejabberd working properly on stable Debian, all `erlang-*` packages need to be updated to the testing versions as well.
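An added example, not part of the original question or answers, for checking the DH bit size yourself without relying on XMPP.net: one function reads the size stored in a local parameter file, the other connects to the c2s port with STARTTLS and forces a DHE cipher suite so the server must use its configured parameters. It assumes the openssl CLI (the `Server Temp Key` line is only printed by OpenSSL 1.0.2 or newer), and the host and file names are placeholders. A file that reports 4096 while the server reports 1024 is exactly the symptom above: the TLS library ignores the file.

```sh
#!/bin/sh
# Added example: check the DH size in a parameter file and the one the server really negotiates.

# Bit length stored in a local DH parameter file (works for `openssl dhparam` and
# `openssl genpkey -genparam` output alike). Prints nothing if the file is unreadable.
dh_file_bits() {
  openssl dhparam -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Pull the finite-field DH key size out of `openssl s_client` output read from stdin.
# Prints nothing when the server chose ECDH ("Server Temp Key: ECDH, P-256, 256 bits")
# or when the OpenSSL in use is too old to print the line at all.
temp_key_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# Classify a bit length the way the XMPP.net grader does: anything below 2048 caps the grade.
dh_grade() {
  if [ -z "$1" ]; then
    echo "no-dh"
  elif [ "$1" -lt 2048 ]; then
    echo "weak"
  else
    echo "ok"
  fi
}

# Negotiate STARTTLS on the c2s port (5222 by default) and restrict the client to DHE
# suites; with the server's "ECDH:DH:..." cipher list it would otherwise pick ECDH and
# reveal nothing about the dhfile. For port 5269 use `-starttls xmpp-server` instead
# (OpenSSL 1.1.0 or newer).
check_server_dh() {
  host=$1
  port=${2:-5222}
  bits=$(printf '' | openssl s_client -connect "$host:$port" -starttls xmpp \
           -servername "$host" -cipher 'DHE:!aNULL' 2>/dev/null | temp_key_bits)
  echo "$host:$port DH=${bits:-none} grade=$(dh_grade "$bits")"
}

# Usage against a live host (placeholder names, not run here):
#   dh_file_bits /etc/ejabberd/dhp4096.pem
#   check_server_dh somehost.tld 5222
```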